DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Information Technology Management Letter for the FY 2005 DHS Financial Statement Audit
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. § 552 (b)(2). A review under the Freedom of Information Act will be conducted upon request.

Office of Information Technology
OIG-06-49                                                                  July 2006

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

July 10, 2006

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports published by our office as part of our DHS oversight responsibility to promote economy, effectiveness, and efficiency within the department.

This report presents the information technology (IT) management letter for DHS' FY 2005 financial statement audit. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-06-09, November 2005) and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of DHS' financial statement as of September 30, 2005, and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 15, 2005, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or a conclusion on compliance with laws and regulations.

The recommendations herein have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Department of Homeland Security
Information Technology Management Letter
September 30, 2005

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope and Approach
Summary of Findings and Recommendations
Findings by Audit Area
    Entity-Wide Security Program Planning and Management
    Access Controls
    Application Software Development and Change Controls
    System Software
    Segregation of Duties
    Service Continuity
    Application Controls

APPENDICES

    A   Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2005 DHS Financial Statement Audit
    B   FY 2005 Notice of IT Findings and Recommendations - Detail by DHS Organizational Element
    C   Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations
    D   Management Response to Draft DHS IT Management Letter

OBJECTIVE, SCOPE AND APPROACH

KPMG performed an audit of DHS IT general controls in support of the FY 2005 DHS financial statement engagement. The overall objective of our audit was to evaluate the effectiveness of IT general controls of DHS' financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, formed the basis of our audit. The scope of the IT general controls assessment included testing at DHS' Office of the Chief Financial Officer (OCFO), and all significant DHS components as described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

• Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• System software (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

In addition to testing DHS' general control environment, KPMG performed application control tests on a limited number of DHS financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls. The technical security testing was performed both over the Internet and from within select DHS facilities, and was focused on test, development, and production devices that directly support DHS financial processing and key general support systems.

Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2005 DHS took corrective action to address many prior year IT control weaknesses. However, during FY 2005, we continued to find IT general control weaknesses at each DHS component. The most significant information security weaknesses from a financial statement audit perspective relate to entity-wide security, access controls, and service continuity. Collectively, these IT control weaknesses limit DHS' ability to ensure that critical financial and operational data is maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impact the internal controls over DHS financial reporting and its operation, and we consider them to collectively represent a material weakness for financial system security under standards established by the AICPA and accepted by the GAO.

During fiscal year 2005, DHS took several actions to improve its IT general control environment, and to address many prior year general IT control issues. For example, the Coast Guard has begun performing regular technical vulnerability scans on its information technology network and key systems. These scans resulted in a reduction of the number of conditions our audit team identified during our testing. In addition, DHS issued an update to DHS Policy 4300A, Sensitive System Handbook. The purpose of this Handbook update was to provide specific techniques and procedures for implementing the requirements of DHS' IT Security Program for Sensitive Systems. These actions resulted in the correction of some conditions we reported in 2004. DHS needs to place further emphasis on the monitoring and enforcement of the policies and procedures through the performance of periodic security control assessments and audits.

FINDINGS BY IT AUDIT AREA

Entity-Wide Security Program Planning and Management

During FY 2005 DHS continued to make progress in having all of its financial systems certified and accredited. However, continued efforts are needed, especially in the areas of program management related to the detection and monitoring of technical information security weaknesses. Collectively, the identified entity-wide security planning and management issues, coupled with the access control issues described later in this management letter, reduce the overall effectiveness of the entity-wide security programs for the individual DHS components and the overall Department.

Conditions noted in FY 2005 regarding entity-wide security program planning and management at DHS were:

• EWS-05-1: Despite improvements in the process of performing Certification and Accreditation (C&A) of IT systems, five DHS component financial and associated feeder systems were not properly certified and accredited.
• EWS-05-2: Instances of fragmented, incomplete, or missing security policies and procedures relating to the hiring and termination of employees, reviewing of access to key financial systems, computer incident response capabilities, and interconnectivity agreements exist.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Ensure adherence to a DHS C&A program across all DHS components, which should include an emphasis on a consistent and thorough approach to the testing of key technical controls during the certification process; and
b) Ensure the consistent implementation of security programs, policies, and procedures.

Access Controls

During FY 2005 we noted significant access control vulnerabilities with internal IT systems (i.e., inside the components' firewalls). These are significant issues because personnel inside the organization who best understand the organization's systems, applications, and business processes are able to have unauthorized access to some systems and applications. Some of the identified vulnerable devices are used for test and development purposes. In some cases, users are able to access test and development devices with group passwords, system default passwords, or the same passwords with which they log into production devices. As a result, test and development devices could be a target of hackers/crackers to obtain information (i.e., user password listings) that can be used to attempt further access into DHS' IT environment.

Conditions noted in FY 2005 regarding access controls at DHS were:

• AC-05-1: Instances of missing and weak user passwords on key servers and databases.
• AC-05-2: User account lists were not periodically reviewed for appropriateness, and inappropriate authorizations and excessive access privileges for group user accounts were allowed.
• AC-05-3: Instances where workstations, servers, or network devices were configured without necessary security patches, or were not configured in the most secure manner.
• AC-05-4: Application and operating system settings were not configured for automatic log-off or account lockout.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Ensure that password controls meet DHS password requirements on all key financial systems;
b) Implement an account management certification process within all the components, to ensure the periodic review of user accounts for appropriate access;
c) Implement a DHS-wide patch and security configuration process, and ensure compliance with the requirement that systems are periodically tested by individual DHS components and the DHS-CIO; and
d) Conduct periodic vulnerability assessments, whereby systems are periodically reviewed for access controls not in compliance with DHS and Federal guidance.

Application Software Development and Change Control

During FY 2005 we noted that DHS took corrective actions to address IT control issues related to application software changes. However, we noted that in some cases the application software change control documentation was still not consistent with DHS systems development life cycle (SDLC) guidance.

Conditions noted in FY 2005 regarding application system development and change control at DHS and its components were:

• ASDCC-05-1: Instances where policies and procedures regarding configuration management controls were not in place to prevent users from having concurrent access to the development, test, and production environments of the system.
• ASDCC-05-2: Changes made to the configuration of the system were not always documented through System Change Requests (SCRs), test plans, test results, or software modifications. Additionally, documented approval did not exist, or was not always retained, for emergency enhancements, "bug" fixes, and data fixes, and in some cases, audit logs for tracking changes to the data or systems were not activated.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Develop and implement policies and procedures regarding configuration management controls, and ensure that users do not have concurrent access to development, test, and production environments; and
b) Ensure adherence to policies that require changes to the configuration of the system to be approved and documented, and audit logs to be activated and reviewed on a periodic basis.

System Software

We noted weaknesses in programs designed to operate and control the processing activities of computer equipment. Weaknesses in this control area, closely linked to entity-wide security and access controls, increase the likelihood that unauthorized individuals using system software could circumvent security controls to read, modify, or delete critical or sensitive information and programs. Authorized users of the system could gain unauthorized privileges to conduct unauthorized actions, and/or system software could be used to circumvent edits and other controls built into application programs.

Conditions noted regarding system software at DHS were:

• SS-05-1: Instances where policies and procedures for restricting and monitoring access to operating system software were not implemented or were inadequate. In some cases, the ability to monitor security logs did not exist.
• SS-05-2: Changes to sensitive operating system settings and other sensitive utility software and hardware were not always documented.

Recommendation:

We recommend that the DHS Office of Chief Information Officer, in coordination with the OCFO, monitor the use of, and changes related to, operating systems and other sensitive utility software and hardware.

Segregation of Duties

During FY 2005, we continued to note instances where an individual controlled more than one critical function within a process, increasing the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed, without detection. Additionally, we noted a lack of segregation of duties between major operating and programming activities, including duties performed by users, application programmers, and data center staff.

Conditions noted regarding segregation of duties at DHS were:

• SD-05-1: Instances where individuals were able to perform incompatible functions, such as the changing, testing, and implementing of software, without sufficient compensating controls in place.
• SD-05-2: Instances where key security positions were not defined or assigned, and descriptions of positions were not documented or updated.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Document user responsibilities so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented; and
b) Assign personnel to key security positions, and ensure that position descriptions are kept current.

Service Continuity

During FY 2005 we noted that DHS took some corrective actions to address IT control issues related to developing contingency plans and the back-up and protection of critical system data. Despite these improvements, weaknesses related to business continuity plans continue to exist. These issues are important because losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency's ability to accomplish its mission.

Conditions noted regarding service continuity at DHS were:

• SC-05-1: Five DHS components had incomplete or outdated business continuity plans and systems with incomplete or outdated disaster recovery plans. Some plans did not contain current system information, emergency processing priorities, procedures for backup and storage, or other critical information.
• SC-05-2: Five DHS components' service continuity plans were not consistently and/or adequately tested, and individuals did not receive training on how to respond to emergency situations.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Develop and implement complete and current business continuity and system disaster recovery plans; and
b) Perform component-specific and DHS-wide testing of key service continuity capabilities, and assess the need to provide appropriate and timely emergency training.

Application Controls

During FY 2005, we noted several instances of weak access and segregation of duty controls associated with key DHS financial applications, such as a DHS component's core financial application, as well as procurement and payable applications. These weaknesses include weak or expired user passwords, user accounts that were not kept current, and certain users with access privileges to certain key processes of an application. Many of these weaknesses were identified during our general control testing of access controls and segregation of duties; however, since these same issues also impact controls over specific key financial applications, they are reported here as well.

Conditions noted regarding application controls at DHS and its components were:

• APC-05-1: Instances of missing and weak user passwords on key application servers and databases.
• APC-05-2: User account lists were not periodically reviewed for appropriateness, and inappropriate authorizations and excessive access privileges for group user accounts were allowed.
• APC-05-3: Instances where individuals were able to perform incompatible functions, such as the changing, testing, and implementing of software, without sufficient compensating controls in place.

Recommendations:

We recommend that the DHS Office of Chief Information Officer in coordination with the OCFO:

a) Ensure that password controls meet DHS password requirements on all key financial systems;
b) Implement an account management certification process within all the components, to ensure the periodic review of user accounts for appropriate access; and
c) Document the user responsibilities so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented.

MANAGEMENT COMMENTS AND OIG EVALUATION

We obtained written comments on a draft of this report from the DHS CIO. Generally, the DHS CIO agreed with all of the report's findings and recommendations. However, as noted in the summary section of the status spreadsheet, components did not concur with ten (10) of the NFRs and the DHS CIO is currently working to fully document all "non-concurs." We have incorporated the comments where appropriate and included a copy of the comments at Appendix D.

OIG Response

We accept the DHS CIO's response to the recommendations in this report and are encouraged that the DHS CIO will work with each DHS component to ensure that a Plan of Action and Milestones (POA&M) is developed for each of the 88 NFRs. We are also encouraged by the DHS CIO's commitment to take corrective actions on these IT NFRs during the FY 2006 DHS Financial Statement Audit. However, the DHS CIO's response did not provide details on any planned corrective actions for each of the recommendations outlined in this report.
KPMG will follow up on the corrective actions for these recommendations during the FY 2006 Financial Statement Audit.

Appendix A

Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2005 DHS Financial Statement Audit

Below is a description of significant DHS financial management systems and supporting IT infrastructure included in the scope of the financial statement audit for the twelve months ended September 30, 2005.

United States Citizenship and Immigration Services (USCIS)

Locations of Audit: USCIS Headquarters in Washington, D.C., as well as offices in Texas, Vermont and Nebraska.

Key Systems Subject to Audit:

• Federal Financial Management System (FFMS) – The Immigration and Customs Enforcement (ICE) component owns and operates FFMS. ICE performs the financial reporting function for USCIS, using FFMS per the shared services agreement with USCIS. FFMS is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. FFMS is the official system of record and is built in the Oracle 8i Relational Database Management System. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center payroll interface. FFMS supports all USCIS core financial processing. FFMS uses a Standard General Ledger (SGL) for the accounting of agency financial transactions.

• Claims 3 Local Area Network (LAN) – Claims 3 LAN provides USCIS with a decentralized LAN-based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS Forms Improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont, and the National Benefits Center). The main purpose of Claims 3 is to enter and track immigration applications.

• Claims 4 – The purpose of Claims 4 is to track and manage naturalization applications. Claims 4 resides on multiple platforms, including a Siemens E70 located in Dallas, Texas. Claims 4 data is centrally stored within one Oracle database. Software is developed and maintained in the Oracle relational database (RDBMS) and Microsoft Visual Basic environments.

Immigration and Customs Enforcement (ICE)

Locations of Audit: ICE Headquarters in Washington, D.C., as well as offices in Texas, Vermont and Nebraska.

Key System Subject to Audit:

• Federal Financial Management System (FFMS) – ICE owns and operates FFMS. ICE performs the financial reporting function for CIS, MGT, IAIP, and S&T using FFMS per the shared services agreement these agencies have with ICE. FFMS is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. FFMS is the official system of record and is built in the Oracle 8i Relational Database Management System. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center payroll interface. FFMS supports all USCIS/ICE core financial processing and uses a Standard General Ledger (SGL) for the accounting of agency financial transactions.

United States Coast Guard

Locations of Audit: Coast Guard Headquarters in Washington, DC; the Aviation Repair and Supply Center (ARSC) in Elizabeth City, North Carolina; ---------------------------------------------------- --- --------------- ------------------------------------ -------------------------------------------- ---------------------- -------------------------------- ---------------- --------------

Key Systems Subject to Audit:

• Core Accounting System (CAS) – CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at ----------, the Coast Guard's primary data center.

• Financial Procurement Desktop (FPD) – The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create PRs, issue procurement documents, perform system administration responsibilities, and reconcile weekly Program Element Status (PES) reports.

• Workflow Imaging Network System (WINS) – WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received.

• Naval Electronics Supply Support System (NESSS) – Formerly named the Supply Center Computer Replacement System (SCCR), NESSS is hosted at -------. NESSS is the primary financial application for the Engineering Logistics Command (ELC), the Supply Fund, and the Yard Fund. Also housed at ----- is the Fleet Logistics System (FLS), a web-based application designed to automate the management of Coast Guard vessel logistics by supporting the following functions: configuration, maintenance, supply and finance. In addition, ----- is responsible for CMPlus, the central repository for activities associated with maintaining Coast Guard assets at the unit level.

Several other key Coast Guard financial applications support military personnel and payroll, retired pay, and travel claims. These applications are hosted at the PSC, which was formerly known as the Human Resources Services and Information Center. These applications include the Personnel Management Information System (PMIS) and the Joint Uniform Military Pay System (JUMPS). Also housed at PSC is the PeopleSoft 8.3 Direct Access application, which is used by members for self-service functions, including updating and viewing personal information.

In addition, the Coast Guard maintains hosts on the Internet in thirteen Internet Protocol (IP) address ranges. Hosts within these ranges support various Web-based applications, e-mail servers, and File Transfer Protocol (FTP) servers.

United States Customs and Border Protection (CBP)

Locations of Audit: ------- --------------------------------------------------------------- ---------------- - ----------------------------------------------------------------

Key Systems Subject to Audit:

Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of the September 30, 2005 CBP consolidated balance sheet audit.

• --------------- ---------------- ---------------- ---------- -------- was decommissioned in FY 2005 and replaced by SAP. It was CBP's IBM --- ----- -- - -based financial management system that supported primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. The core system consisted of general ledger, accounts receivable, disbursements/payables, purchasing, and budget execution modules.
--------- was hosted on a customized version of ---- --------------------- --- --- ----- - ----- --------------------------------- ----- --------

•   ---------- ------- is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the ------- ---------------- ---------------- --- ----- ------ - using a phased approach. The ---------------------- ---- - -- - --- -- ------ was implemented and utilized in FY 2004. In FY 2005, the Funds Management, Budget Control System, General Ledger, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules were implemented.

•   --------------- - ---------------------------- -------- is a collection of mainframe-based applications used to track, control, and process all commercial goods, conveyances, and private aircraft entering United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government.

•   ---------------- ------------------------------------------------ – Used for tracking seized assets, the Customs Forfeiture Fund, and fines and penalties.

DHS Consolidated

Location of Audit: DHS Headquarters in Washington, D.C.

Key Systems Subject to Audit:

•   Treasury Information Executive Repository (TIER) – TIER is the system of record for the DHS consolidated financial statements. The DHS components update TIER on a monthly basis with data extracted from their core financial management systems. TIER subjects component financial data to a series of validation and edit checks before it becomes part of the system of record. Data cannot be modified directly in TIER; a component that needs to correct its data must resubmit a corrected input file.

•   CFO Vision – CFO Vision interfaces with TIER and is used for the consolidation of the financial data and the preparation of the DHS financial statements.

The TIER and CFO Vision applications reside on the Department of the Treasury’s (Treasury) network and are administered by Treasury. Treasury is responsible for the administration of the TIER Windows NT server, the Oracle 8i database, and the TIER and CFO Vision applications. The DHS Office of Financial Management (OFM) is responsible for the administration of DHS user accounts within the TIER and CFO Vision applications.

Limited Scope

Location of Audit: We performed follow-up on a FY 2003 finding at the ---- - --------------------- ---- ---------------- ------------------------------- ------- - ------ - ------

System Subject to Audit:
The Momentum Financial System is FLETC’s core computerized system that processes financial documents generated by various FLETC divisions in support of procurement, payroll, budget, and accounting activities.

Federal Emergency Management Agency (FEMA)

Locations of Audit: FEMA Headquarters in Washington, D.C., and the ------ - - ------------------------ ------- -------- - ------------------------------ ----------------

Key Systems Subject to Audit:

•   Integrated Financial Management Information System (IFMIS) – IFMIS is the key financial reporting system and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).

•   National Emergency Management Information System (NEMIS) – NEMIS is an integrated system that provides FEMA, the states, and certain other federal agencies with automation to perform disaster-related operations. NEMIS supports all phases of emergency management and provides financial-related data to IFMIS via an automated interface.

•   Logistical Information Management System (LIMS III) – LIMS III provides for material management, maintenance, and logistics reporting.

•   National Flood Insurance Program System – The system provides loss projections and recovery rates, and maintains customer records for the flood insurance program.

•   Quicktime – Time and Attendance Collection System – A web-based system used to collect hours worked and leave used by all employees in FEMA. The data collected is transmitted to the National Finance Center for paycheck preparation.

Office of State and Local Government Coordination and Preparedness (SLGCP)

Location of Audit: SLGCP Headquarters in Washington, D.C.

Key Systems Subject to Audit:

SLGCP’s IT platforms are hosted and supported by the Department of Justice’s Office of Justice Programs (OJP). The following is a list of key financial-related applications supporting SLGCP.

•   IFMIS (same application as FEMA’s, but hosted at OJP) – IFMIS consists of five modules: budget, cost posting, disbursement, general ledger, and accounts receivable.
Users access the system through individual workstations that are installed throughout SLGCP and OJP. The current IFMIS version does not have the ability to produce external federal financial reports (i.e., SF 132 and SF 133) and financial statements. IFMIS was updated in February 2002 with the version certified by the Joint Financial Management Improvement Program (JFMIP).

•   Grants Management System (GMS) – GMS supports the SLGCP grant management process, involving the receipt of grant applications and grant processing activities. GMS is divided into two logical elements: a grantee element and an administration element. The grantee component provides the Internet interface and functionality required for all of the grantees to submit grant applications on-line. The administration component provides SLGCP/OJP personnel the tools required to store, process, track, and ultimately make decisions about the applications submitted by the grantee. This system does not interface directly with IFMIS.

•   Line of Credit Electronic System (LOCES) – LOCES allows recipients of SLGCP funds to electronically request payment from OJP on one day and receive a direct deposit to their bank for the requested funds, usually on the following day. Batch information containing drawdown transaction information from LOCES is transferred to IFMIS. IFMIS then interfaces with Treasury to transfer payment information, resulting in a disbursement of funds to the grantee.

•   Paperless Request System (PAPRS) – This system allows grantees to access their grant funds. The system includes a front-end and a back-end application. The front-end application provides the interface where grantees make their grant requests. The back-end application is primarily used by accountants and certifying officials. The back-end application also interfaces with IFMIS: batch information containing drawdown transaction information from PAPRS is interfaced with IFMIS, and IFMIS then interfaces with Treasury to transfer payment information, resulting in a disbursement of funds to the grantee.

Transportation Security Administration (TSA)

Locations of Audit: TSA Headquarters in Washington, D.C. ----- - ---------------------------------------- --------------- ---------- TSA’s financial applications are hosted on the Coast Guard’s IT platforms.

Key Systems Subject to Audit:
The Coast Guard is a service provider for the Transportation Security Administration (TSA) by maintaining the Core Accounting System. This application is housed at the ---------------- -------- - ----------------------------------------

•   Core Accounting System (CAS) – CAS is the core accounting system that records financial transactions and generates financial statements for TSA. CAS is hosted at -----------, the Coast Guard’s primary data center.

•   Financial Procurement Desktop (FPD) – The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create PRs, issue procurement documents, perform system administration responsibilities, and reconcile weekly PES reports.

•   Workflow Imaging Network System (WINS) – WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation, and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received.

•   Consolidated Uniform Payroll System (CUPS) – CUPS maintains TSA payroll data; calculates pay, wages, and tax information; and maintains service history and separation records. CUPS interfaces with the Integrated Personnel and Payroll System (IPPS), Little IPPS, CUPS National, CPMIS, and DELPHI, and also receives other data inputs. CUPS is a mainframe application.

•   Consolidated Personnel Management Information System (CPMIS) – CPMIS is the DOT personnel management system. The system processes and tracks personnel actions and employee-related data for TSA, including employee elections for the Thrift Savings Plan (TSP), life insurance, and health insurance, as well as training data and general employee information (i.e., name, address, etc.). CPMIS is also used to maintain information related to budget, training, civil rights, labor relations, and security. CPMIS is a mainframe application. CPMIS interfaces with CUPS to allow CUPS to perform the calculation of pay, time and attendance reporting, leave accounting, and wage and tax reporting. CUPS also uses the information received from CPMIS to initiate payroll deductions for TSP, insurances, Combined Federal Campaign contributions, and savings bonds.

•   Integrated Personnel and Payroll System (IPPS) – IPPS processes requests for personnel action, training enrollments, and time and attendance information. IPPS interfaces with CPMIS and CUPS to receive time and attendance and payroll information. IPPS also interfaces with the IPPS Management and Reporting (MIR) system. MIR is a client/server system that provides reporting capability through an Oracle database.

TSA payroll, time and attendance, and HR moved to the ----------------------------------------- ----- -- -- ----------- ---------------------------------------- on August 22, 2005. For payroll, TSA will be using a Kronos system called WebTA, a web-based system, which will interface with the ------- system. The HRMaxEmpower system will be TSA’s new HR system.
The HRMaxEmpower system will also interface with the ------ system.

Appendix B

Department of Homeland Security
Information Technology Management Letter
September 30, 2005

FY2005 Notice of IT Findings and Recommendations - Detail by DHS Organizational Element

Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail

United States Citizenship and Immigration Services

IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # USCIS 05-02 (Repeat Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: The site Certification and Accreditation (C&A) package for the California Service Center, General Support System (GSS) - Local Area Network (LAN) is outdated and has expired.
Recommendation: Allocate sufficient resources to ensure that policy requirements are properly implemented so that all systems used to process, store, or transmit classified or sensitive information are accredited every three years. Also, consider issuing interim accreditations that represent the managers’ explicit acceptance of risks.

NFR # USCIS 05-03 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: The C&A package for the Texas Service Center (TSC) GSS-LAN is outdated and has expired.
Recommendation: Allocate sufficient resources to ensure that policy requirements are properly implemented so that all systems used to process, store, or transmit classified or sensitive information are accredited every three years. Also, consider issuing interim accreditations that represent the managers’ explicit acceptance of risks.

NFR # USCIS 05-04 (Repeat Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: Access control weaknesses such as account management, password length, and a lack of review over audit records were identified for the ------- - -- system.
Recommendation: Ensure that ---- ------- -- system passwords are established and maintained in accordance with DHS and Federal guidance and that warning banners are in place when users log on to the system.

NFR # USCIS 05-05 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: A Novell NetWare server at USCIS’ Texas Service Center (TSC) was identified as not having the correct vendor-supplied patches installed.
Recommendation: Test and install vendor-supplied patches in a timely manner and undertake frequent vulnerability scanning of all systems at TSC to verify that required patches have been installed.

NFR # USCIS 05-06 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: A vulnerability assessment over -- -- -- - --- at USCIS TSC noted that multiple local administrator accounts had blank passwords, including several accounts with supervisor-level access.
Recommendation: Ensure that the documented password policy is enforced on all systems and undertake frequent vulnerability scanning on all systems at the TSC to verify that passwords have been assigned and implemented correctly.

Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail

Immigration and Customs Enforcement

Management Comment: IT Notice of Findings and Recommendations

NFR # ICE 05-07 (Repeat Issue; Management Comment to DHS-CIO and CFO)
Condition: ICE does not have procedures in place to periodically review --- ----- ------ ----- --- - ---- ---- ----------------- - user access lists and could not provide a list of all authorized ------- users upon request.
Recommendation: Document and implement policies and procedures for the periodic review of --- ---- user accounts, and ensure administrative personnel periodically perform reviews of ------- user accounts.

Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail
Customs and Border Protection

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # CBP-IT-05-02 (Repeat Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: The Top Secret (the mainframe security software) account administration on the ---------------------- ------ ------ -- --------- had several weaknesses over unauthorized access to accounts -------------- - -- -- --- ---- and inactive accounts.
Recommendation: Remove unnecessary central security administrator- ------ privileges and accounts or, alternatively, continue implementation of a --- --- ------ ----------- -- for use by authorized individuals during pre-determined circumstances.

NFR # CBP-IT-05-09 (Repeat Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: Improvements are needed in system logical access controls over network assets affecting - ------- -- ------- ------ ---.
Recommendation: Develop enterprise-wide solutions for improving network and host-based system configuration design(s); consider the use of security management monitoring tools to prevent possible intrusions; proceed with the implementation of -- ------ ---- - - - - -- - --------; provide more robust system management security controls standards for Windows-based production servers; and consider the development of a compliance-level policy for adherence to CBP password management policies at the - - -- --- -- - -- -------- --.

NFR # CBP-IT-05-14 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: CBP management did not adequately implement procedures for restricting access to the data center located in ----------, and several terminated employees did not have their badges deactivated in a timely manner.
Recommendation: Perform a formal review of all personnel who have access to the --------- ----- ---- --- to determine those who do not have a formal user access form in place, establish a formal user access form, and promptly remove physical access rights to the -------- facility when an employee is terminated.

NFR # CBP-IT-05-15 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: Eighteen (18) ----- ------ ---- -- were found with access to the production environment.
Recommendation: Develop a formally documented process for granting normal and emergency access for ------ ---- -- to the - -- - production environment.

NFR # CBP-IT-05-17 (New Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: CBP has not configured its version of ---- -- to include a company code setting of “productive.”
Recommendation: Perform a formal analysis of the company code setting to determine if it should be set to “productive.”

NFR # CBP-IT-05-18 (Repeat Issue; significant finding contributing to the overall DHS material weakness for financial system security)
Condition: Excessive sensitive functions and high-risk combinations have been assigned to ---- -- users.
Recommendation: Ensure that the assignment of sensitive functions and high-risk combinations of functions to non-supervisory users is based on a documented business need and approved by a supervisory official. Exceptions from guidance provided by the memorandum should be formally approved and documented.

NFR # CBP-IT-
Condition: Separated employees with
Recommendation: Delete the accounts of any confirmed terminated employees, and disable user accounts of
separated         X                         X\n 05-19    active ------ accounts.\n                                           employees and contractors\n                                           as stated in CBP and\n                                           Federal guidance.\n\n\n\n\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                         23\n\x0c                                                                                                          Appendix B\n\n                                           Department of Homeland Security\n                                       Information Technology Management Letter\n                                                  September 30, 2005\n\n                                                                                                  Significant Findings\n                                                                                                  Contributing to the\n                                                                                New     Repeat       Overall DHS\nNFR #               Condition                    Recommendation\n                                                                                Issue    Issue   Material Weakness for\n                                                                                                   Financial System\n                                                                                                        Security\n          Access to the --------- ---\n                                            Recertify users with access\n          -- -- --- -- ------ ---- --- --\nCBP-IT-                                     -- ------- - - --- -----------and\n          --- ----- --------- -related                                                    X               X\n 05-28                                      document the evidence of\n          
dataset and-- - -- ---- -- ---\n                                            the recertification.\n          ---- is excessive.\n                                            Recertify users with access\n          The number of users with          to Top Secret Audit,\nCBP-IT-   access to Top Secret Audit,       Recovery, and Backup\n                                                                                          X               X\n 05-30    Recovery, and Backup              datasets and document\n          datasets is excessive.            evidence of the\n                                            recertification.\n\n\n        Remaining IT NFRs Which Contributed to the Overall DHS Material Weakness for\n                                Financial System Security\n\n\n                                                                                                  Remaining Findings\n                                                                                                  Contributing to the\n                                                                                New     Repeat       Overall DHS\nNFR #               Condition                    Recommendation\n                                                                                Issue    Issue   Material Weakness for\n                                                                                                   Financial System\n                                                                                                       Security\n                                            Coordinate with each\n                                            affected field office to\n                                            either remove conflicting\n                                            roles or sign a waiver to\n          Numerous-- -- -- user IDs\nCBP-IT-                                     accept responsibility for\n          were identified as having                            
                           X               X\n 05-01                                      associated risks and\n          segregation of duties issues.\n                                            continue to prevent new\n                                            IDs with segregation of\n                                            duties conflict from being\n                                            created.\n          After the re-organization of\n          the Office of Information\n                                            Ensure that security\n          Technology (OIT), security\nCBP-IT-                                     administration functions\n          administration functions at\n05-03                                       remain independent of                X                        X\n          the------- are not\n                                            operations functions.\n          independent of the\n          operations function.\n\n\n\n\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                           24\n\x0c                                                                                                            Appendix B\n\n                                            Department of Homeland Security\n                                        Information Technology Management Letter\n                                                   September 30, 2005\n\n                                                                                                    Remaining Findings\n                                                                                                    Contributing to the\n                                                                                  New     Repeat       Overall DHS\nNFR #               Condition                       Recommendation\n                                                                    
              Issue    Issue   Material Weakness for\n                                                                                                     Financial System\n                                                                                                         Security\n                                               Develop a process to\n                                               ensure supervisory review\n                                               of ---- - overrides and\n                                               ensure that the new\n          Certain controls can be              --- - -- - --- ---- ------------\nCBP-IT-\n          overridden in ---- -- without        --- -- -- --- --- - ---- - -                 X               X\n 05-04\n          supervisory approval.                system has the appropriate\n                                               requirements for these\n                                               controls and that the\n                                               controls are applied prior to\n                                               implementation.\n                                               Formally establish a\n                                               process for granting --- --\n          CBP management has not               access to sensitive\n          developed formal                     technical team roles that\nCBP-IT-   procedures for granting              include procedures for\n05-05     access to sensitive------            documenting authorization                    X               X\n          Technical Team member                requests, identifying roles\n          roles.                               
to be granted, and\n                                               recertification of user roles\n                                               within ----- .\n          The -------- --------- ---- --\n                                               Update--- --------- - COOP\n          ----------- continuity of\n                                               with the most recent FY\n          operations plan (COOP) is\n                                               2004 test results and re-\n          not updated to reflect the\n                                               evaluate the COOP for\nCBP-IT-   results of FY 2004 testing,\n                                               overall contingency\n05-06     and the upgrade of their                                                 X                        X\n                                               planning procedures on an\n          financial system from--------\n                                               annual basis and in the\n          -- -- --- -- ------ - --------- --\n                                               event of a major system\n          --- ----- ------- - - mainframe\n                                               change or upgrade.\n          to ------\n          CBP management has not\n          consistently applied the             Consistently apply the\nCBP-IT-   requirement for initial              requirements for initial and\n05-08     security awareness training          refresher security                  X                        X\n          for CBP employees and                awareness training,\n          contractors.\n                                               Continue to review the\n          ------ security audit log\nCBP-IT-                                        audit logs daily, maintain\n          reviews not evidenced for\n05-10                                          documented evidence, and            X                        X\n          the majority 
of FY 2005.\n                                               train backup personnel.\n\n\n\n\n                Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                              25\n\x0c                                                                                                            Appendix B\n\n                                             Department of Homeland Security\n                                         Information Technology Management Letter\n                                                    September 30, 2005\n\n                                                                                                    Remaining Findings\n                                                                                                    Contributing to the\n                                                                                  New     Repeat       Overall DHS\nNFR #               Condition                       Recommendation\n                                                                                  Issue    Issue   Material Weakness for\n                                                                                                     Financial System\n                                                                                                         Security\n                                               Complete efforts to identify\n          CBP ----- Administrator               - ------ - - --- -- -- -- --\n          staff have not documented            connections that are\nCBP-IT-   Interconnection Security             considered \xe2\x80\x9clegacy\xe2\x80\x9d\n05-11     Agreements (ISA) for all             connections as well as                       X               X\n          entities that connect with           connections with ----- and\n          ------                               formally establish ISAs\n                       
                        with these entities.\n                                               Formally update the\n                                               alternate processing site\n          CBP alternate processing\n                                               agreement to accurately\n          site agreement not\nCBP-IT-                                        reflect the current hardware\n          finalized. Priority of\n05-12                                          and support that will be            X                        X\n          service provision not in\n                                               required of the alternate\n          place.\n                                               processing site vendor in\n                                               the event of an emergency.\n                                               Formalize the process to\n          No formal process to                 confirm or enforce\n          confirm or enforce                   compliance with the ---- --\nCBP-IT-\n          compliance with the ---- --          recertification process at\n05-13                                                                              X                        X\n          ----------------- ----------------   the field sites and\n          ----- -------                        document all\n                                               recertifications.\n                                               Develop a process to\n                                               identify the workstations\n                                               that have yet to install the\n          The incident handling and            ---- - ----- -- , continue to\n          response capability needs            test and implement a\nCBP-IT-   improvement regarding                standard real-time\n05-16     incident detection and               automated reporting                          X               X\n          initiation, 
response,                process, and develop a\n          recovery, and reporting.             consistent process to\n                                               respond to system flaw\n                                               notifications and track\n                                               reported security incidents.\n                                               Formally document test\n          CBP does not document\n                                               plans, test cases, and test\n          changes to the ----- system\nCBP-IT-                                        results for all - -- -- changes,\n          including test plans, test\n05-20                                          and business and customer           X                        X\n          cases, impact analysis, and\n                                               impact analysis for ------\n          test results.\n                                               changes requests.\n\n\n\n\n                Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                              26\n\x0c                                                                                                     Appendix B\n\n                                           Department of Homeland Security\n                                       Information Technology Management Letter\n                                                  September 30, 2005\n\n                                                                                             Remaining Findings\n                                                                                             Contributing to the\n                                                                           New     Repeat       Overall DHS\nNFR #               Condition                  Recommendation\n                                                                           Issue  
  Issue   Material Weakness for\n                                                                                              Financial System\n                                                                                                  Security\n                                           Perform a formally\n                                           documented assessment of\n          CBP management has not           the tables that should be\nCBP-IT-\n          activated logging for            logged by ------ and\n05-21                                                                       X                           X\n          critical tables within ----- .   complete the\n                                           implementation of table\n                                           logging within ------\n          CBP management has not\n          completed a Certification\n                                           Complete a security control\n          and Accreditation package\n                                           assessment for all -------\nCBP-IT-   for all components of the\n                                           LAN components and a\n05-22     ------ LAN, including no                                          X                           X\n                                           risk assessment for all\n          security control assessment\n                                           ------ LAN components.\n          and no formal risk\n          assessment conducted.\n                                           Consider reviewing the\n                                           sensitivity of applications\n                                           and based upon results,\n                                           perform separate C&As\n                                           where appropriate.\n          Lack of evaluation of the        Consider establishing a\n          need for a separate C&As         relationship of identified\n 
         for applications included in     risks to defined security\nCBP-IT-\n          the Administrative               requirements in ------\n05-23                                                                                X                  X\n          Applications C&A, and the        incorporate a risk-based\n          improvements needed in           approach for any re-\n          risk assessment guidance.        certification efforts\n                                           performed, and consider\n                                           development of definitive\n                                           guidance for risk\n                                           assessment and security\n                                           plan criteria\n                                           Develop a formal\n                                           centralized process for\n                                           tracking the termination of\n          CBP does not maintain a          contract personnel,\nCBP-IT-   centralized listing of           immediately deactivating\n05-24     separated contract               systems access of                X                           X\n          personnel.                       terminated contractors, and\n                                           periodically assessment of\n                                           contractor access to CBP\n                                           systems.\n                                           Change the setting ------- --\n          ----- idle session lock          ----------- - ------ to\nCBP-IT-\n          inconsistent with CBP            disconnect idle sessions\n05-25                                                                       X                           X\n          policy.                          
after 20 minutes of\n                                           inactivity.\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                        27\n\x0c                                                                                                          Appendix B\n\n                                           Department of Homeland Security\n                                       Information Technology Management Letter\n                                                  September 30, 2005\n\n                                                                                                  Remaining Findings\n                                                                                                  Contributing to the\n                                                                                New     Repeat       Overall DHS\nNFR #               Condition                   Recommendation\n                                                                                Issue    Issue   Material Weakness for\n                                                                                                   Financial System\n                                                                                                       Security\n                                           Continue to review and\n                                           deactivate inactive\n          No procedures to detect and      accounts on a monthly\nCBP-IT-\n          deactivate inactive -----        basis and implement an\n05-26                                                                            X                        X\n          users.                           
automated mechanism to\n                                           detect and deactivate\n                                           inactive accounts\n          Virtual Private Network          Continue to use the official\n          (VPN) access                     authorization form for new\nCBP-IT-   authorizations not               VPN users and formally\n05-27     documented and VPN               recertify all VPN employee            X                        X\n          accounts are not                 accounts on a periodic\n          periodically recertified.        basis and document results.\n                                           Document that access to\n          CBP management did not           the --- -- - - - ------- --- - ---\n          provide information as to         - -- -- (or equivalent) are\nCBP-IT-\n          whether --- -- ---- ------- --   properly segregated and\n05-29                                                                                     X               X\n          ---- - - - -- -- are             perform a review of current\n          appropriately segregated.        granted accesses for\n                                           appropriateness.\n                                           Develop a formal process\n          Weaknesses in the C&A            to ensure that all non-\nCBP-IT-   process at field sites           recommend field sites\n05-31     including several missing        submit a NIST 800-26                           X               X\n          site assessments.                
LAN self-assessment in a\n                                           timely manner.\n\n\n\n\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                           28\n\x0c                                                                                      Appendix B\n\n                        Department of Homeland Security\n                    Information Technology Management Letter\n                               September 30, 2005\n\n\n\n\n           Department of Homeland Security\n            FY2005 Information Technology\nNotification of Findings and Recommendations \xe2\x80\x93 Detail\n\n\n                         United States Coast Guard\n\n\n\n\n Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      29\n\x0c                                                                                                    Appendix B\n\n                                           Department of Homeland Security\n                                       Information Technology Management Letter\n                                                  September 30, 2005\n\n                                      Department of Homeland Security\n                                       FY2005 Information Technology\n                           Notification of Findings and Recommendations - Detail\n                                          United States Coast Guard\n\n        Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for\n                                  Financial System Security\n\n                                                                                           Significant Findings\n                                                                                           Contributing to the\n                                                                         New     Repeat       
Overall DHS\nNFR #              Condition                   Recommendation\n                                                                         Issue    Issue   Material Weakness for\n                                                                                            Financial System\n                                                                                                 Security\n                                          Complete the BRP as\n                                          planned, store a finalized\n          The ----- ----------------\n                                          copy off-site, train\nCG-IT-    ---- -- - ----- - has not\n                                          personnel in their assigned              X                    X\n05-001    completed a Business\n                                          roles and responsibilities,\n          Recovery Plan (BRP).\n                                          test the BRP and document\n                                          lessons learned.\n                                          Establish a testing detail\n                                          baseline that defines the\n                                          standard components that a\n          ----- has not completed a       developer should document\n          testing baseline and users      in Profession Version\nCG-IT-\n          were able to change their       Control Software (PVCS)                  X                    X\n05-002\n          privileges to gain access to    Tracker, and enforce the\n          production.                     
Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2005

Each entry below reproduces one row of the findings tables. The columns are: NFR #; Condition; Recommendation; New Issue; Repeat Issue; and Significant (or, in the "Remaining" sections, Remaining) Findings Contributing to the Overall DHS Material Weakness for Financial System Security (abbreviated "Material Weakness" in the flag lines). An "X" marks the flag the table checked for that row.

(Recommendation continued from the preceding entry) ... procedure to implement testing as a component of change implementation.

NFR # CG-IT-05-003
Condition: Access control weaknesses exist in the ------ ------ ----- ----- - - - ---- ----------- - - -- ---------- ------- - - including user account creation and termination procedures are not documented, and a recertification of accounts does not take place.
Recommendation: Document and implement RACF account management policies and procedures, perform periodic reviews of ---- --- accounts, and routinely monitor audit logs for unusual activity.
New Issue: X   Repeat Issue: -   Material Weakness: X

NFR # CG-IT-05-006
Condition: Coast Guard has not completed the process of filing the personal records that were recovered and recreating the records that were not found during the migration of records from the Department of Transportation to DHS. Comprehensive policies for conducting background investigations for contractors have not been finalized.
Recommendation: Complete the restoration of background investigation records not included during the migration of records from the Department of Transportation to DHS. Work with DHS to finalize policy for conducting contractor background investigations and document Coast Guard-specific procedures compliant with new DHS requirements.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-008
Condition: The --------------- system does not require strong passwords and WANG is still being operated without vendor support.
Recommendation: Replace ---------- with the Coast Guard Direct Access HRMS 8.9 upgrade, which will address vendor support and password strength.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-009
Condition: Service continuity weaknesses for the -- --------- - -- - ---- ----- - --- , ----- , and ----- exist, including an outdated Business Continuity Contingency Plan (BCCP), lack of disaster recovery procedure details, an off-site storage location in close proximity to the data center, and lack of BCCP testing.
Recommendation: Periodically reassess and, as appropriate, revise the -------- -- BCCP, develop disaster recovery procedures for ---- - and ----- , complete the relocation of the off-site storage location, and periodically test the BCCP.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-010
Condition: The -------- -- Unix change control process supporting ----- and --- -- has weaknesses including: procedures in support of the finalized CM policy are not developed, documentation supporting risk assessments is not maintained, formal change requests are not used, and test plans and test results are not documented.
Recommendation: Develop and enforce configuration management procedures for developing test plans, documenting test results, implementing software, management approval of system changes, and retention of all risk assessments and testing documentation.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-011
Condition: ------ - -- does not have documented procedures for controlling the processes associated with the granting, monitoring, and termination of user accounts within FPD.
Recommendation: Develop formal entity-wide procedures for granting, monitoring, and terminating ----- user accounts and for the periodic revalidation of ----- user profiles by local security administrators.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-012
Condition: -------- -- has not developed documented policies and procedures to restrict access to the UNIX operating system and to monitor access, and periodic reviews are not performed to determine whether monitoring of the UNIX operating system for ---- - and ----- is functioning as intended.
Recommendation: Develop policies and procedures for restricting and monitoring access to the UNIX operating system for ---- - and - - -- and perform periodic reviews to ensure the effectiveness of the monitoring process.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-013
Condition: ------------- Certification and Accreditations (C&A) for - - -- ----- -- --- -- --- --- were not complete. Specifically, security testing and evaluations (ST&E) were incomplete and security plans had not been updated.
Recommendation: Update and complete the C&A process for ----- -------- - -- -------- to include the completion of ST&Es and the update of security plans.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-015
Condition: -------- -- has not implemented formal procedures for the periodic management review and monitoring of the activities of ---- - database administrators and system administrators, or of the Oracle SYS accounts.
Recommendation: Develop procedures for the regular and periodic monitoring of high-level ---- - database administrator and system administrator activities, and of the Oracle SYS account.
New Issue: X   Repeat Issue: -   Material Weakness: X

NFR # CG-IT-05-016
Condition: AppDetective identified vulnerabilities on the ----- database including weak passwords, excessive access permissions and missing patches.
Recommendation: Implement the individual fixes noted in the NFR for the vulnerabilities identified and institute a formal process for performing periodic scans of the ------ - -- network environment, including the financial processing environment.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-017
Condition: The Enterprise Security Management (ESM) tool identified configuration and account management weaknesses on --- --.
Recommendation: Implement the individual fixes noted in the NFR for the vulnerabilities identified and institute a formal process for performing periodic scans of the ------ - -- network environment, including the financial processing environment.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-018
Condition: Internet Security Systems Internet Scanner identified three hosts that were missing patches.
Recommendation: ------ - -- management implemented immediate corrective action by removing the BrightStor agent from the three hosts.
New Issue: X   Repeat Issue: -   Material Weakness: X

NFR # CG-IT-05-021
Condition: Undelivered Orders – Transaction Codes: A report allowing users to review and manually re-establish obligations was not implemented, nor was the manual review process.
Recommendation: Implement a system change request to automatically reestablish funds as obligated ------- ------------- ----- ---- -- - - ----- - -- are used, provide training to users, and require users to conduct reviews to determine when re-obligation to the associated UDO balances is required.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-022
Condition: Disaster recovery plans for the Operations Service Center (OSC) Gold Business Systems, which include the ----------- ------ -------- ------ ) and --- --- ---- -- --- - ----- ------ --------- --------- ------------ have not been completed.
Recommendation: Complete disaster recovery planning for the ----------- ------- - Gold Business Systems and periodically test disaster recovery and contingency plans.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-023
Condition: ----- has not completed a security plan for CMPlus 5.
Recommendation: Fully implement planned corrective actions to complete the security plan for CMPlus during the system's C&A process.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-024
Condition: ESM identified high and medium level vulnerabilities on the ------- -- production database over account management, configuration management, password management, and patch management.
Recommendation: Implement the individual fixes noted in the NFR for the vulnerabilities identified and institute a formal process for performing periodic scans of the ----- network environment.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-025
Condition: AppDetective found vulnerabilities on the ------- - production database over audit management, configuration management, password management, and patch management.
Recommendation: Implement the individual fixes noted in the NFR for the vulnerabilities identified and institute a formal process for performing periodic scans of the ----- network environment.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-026
Condition: ------ has initiated the required changes to the application code on the server side. However, the required update to the user workstations has not been completed.
Recommendation: Complete planned corrective actions for the redesign of CMPlus/FLS data interfaces to include functionality to communicate data interface errors back to the CMPlus unit/user, by deploying the patch that implements the required fix to users on client workstations.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-027
Condition: Implementation and management oversight of Coast Guard's information security program remains fragmented, including communication and enforcement of procedures for security information with the ISSOs, enforcement of strong passwords, and maintenance of system security policies and procedures and C&A packages.
Recommendation: Implement and enforce procedures for obtaining system security information from ISSOs. Coast Guard management should ensure the implementation of corrective actions to improve system security policies and procedures regarding the C&A process, patch management, account management, monitoring of system software, and contingency planning. Also, implement a background investigation process for CG contractors and hire needed personnel.
New Issue: -   Repeat Issue: X   Material Weakness: X

Remaining IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # CG-IT-05-004
Condition: User account maintenance procedures for ----- civilian personnel were not documented, access lists were not reviewed periodically, and audit trails are not reviewed on a regular basis.
Recommendation: Document and implement account maintenance policies and procedures, perform periodic account reviews, and regularly monitor Direct Access audit trails.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-005
Condition: The ------ General Support System (GSS) Certification and Accreditation (C&A) was not completed.
Recommendation: Complete the C&A package for the GSS in compliance with DHS and Federal guidance.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-014
Condition: Results of reviews over ------ user access were not available, and documentation of periodic reviews was not on file at -------- --.
Recommendation: Retain, as evidence, documentation of regular reviews performed of the Windows 2000 CG ------ directory to ensure that the list of users and permissions is accurate.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # CG-IT-05-019
Condition: Formal procedures regarding access to the ------ - -- data center have not been established and implemented.
Recommendation: Develop and implement formal data center access procedures and a formalized method to track information system-related items entering and exiting the facility.
New Issue: X   Repeat Issue: -   Material Weakness: X

Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations - Detail

Federal Emergency Management Agency (FEMA)

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # EPR-IT-05-05
Condition: Three systems do not have a Certification and Accreditation (C&A). Also, the ----- -- security test and evaluation (ST&E) did not provide adequate documentation of results, and six systems with completed C&As did not include ST&E documentation.
Recommendation: Complete the C&A accreditation packages for FEMA.gov and ----- - , adequately document the results of the --------- ST&E, complete documentation for the ST&Es performed on ------------- -- ------- ------- ---- ------ -- and -- - - ---- -- -- , and re-perform the C&A process for ------ -- due to the major changes the system has undergone.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-08
Condition: The ----- -- Contingency Plan needs to adequately test the IT components of the system/process, and the ------ -- Contingency Plan needs to be completed to take into account the new Linux operating system and Small Business Administration web interface.
Recommendation: Perform a full test of the -- --- - Contingency Plan when the ----- ----- ------------ --- -- -- is prepared to be the functional alternate site for Mt. Weather, and update the ------ -- Contingency Plan once the ------ --- migration is complete. Conduct annual contingency plan testing.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-09
Condition: FEMA has not prioritized its critical data and operations, emergency processing priorities and procedures have not been documented, and all resources supporting critical operations have not been identified.
Recommendation: Update the FEMA continuity of operations plan to incorporate clearly the order in which the 12 critical IT systems would be brought back online at the -------- ------- -------------- alternate processing site in the event of a disaster associated with ---- --------- - .
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-10
Condition: ESM identified high and medium level vulnerabilities on ----- -- ----- --- that supports the -------- application, including: account management, configuration management and patch management.
Recommendation: Implement the individual fixes listed in the NFR for the vulnerabilities identified and undertake an annual vulnerability assessment as prescribed in DHS guidance.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-11
Condition: Two Oracle databases were identified with weak/default passwords.
Recommendation: Implement the DHS password policy on all databases and consider the implementation of an automated password checking tool to help ensure that a strong password policy has been implemented.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-12
Condition: Internet Scanner identified high risk vulnerabilities on 6 hosts in the following areas: configuration management and password management.
Recommendation: Implement the individual fixes listed in the NFR for the vulnerabilities identified and undertake an annual vulnerability assessment as prescribed in DHS guidance.
New Issue: -   Repeat Issue: X   Material Weakness: X

NFR # EPR-IT-05-13
Condition: AppDetective identified high risk vulnerabilities in the following areas on the -------- database: account management, configuration management, password management, and patch management.
Recommendation: Implement the individual fixes listed in the NFR for the vulnerabilities identified and undertake an annual vulnerability assessment as prescribed in DHS guidance.
New Issue: X   Repeat Issue: -   Material Weakness: X

NFR # EPR-IT-05-14
Condition: Access to the Account Mapping Tables in ----- -- is excessive.
Recommendation: Develop and implement a solution to limit excessive access to the -------- account mapping function, reevaluate and limit access rights to those with a business need to access the -- -- -- account mapping functions, and routinely monitor the account mapping functions and related changes made.
New Issue: X   Repeat Issue: -   Material Weakness: X

Remaining IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # EPR-IT-
Condition: Policies and procedures do not exist to perform periodic review of
Recommendation: Develop and implement
procedures regarding\n          --- - ---- -- --- -- --- -\n05-01                                           periodic review of access                       X               X\n          -- - --------- -- - - -- --- -- ---\n                                                lists.\n          ------ -- ---------- user access\n          lists.\n          ---- ----- ---- ---------\n          -- - --------- -- - - -- --- -- ---\n          ------ -- ------------ access         Disable users\xe2\x80\x99 ability to\n          controls suspend a user\xe2\x80\x99s             change the inactivity\n          session after fifteen minutes         threshold or disable the\n          of inactivity. However, the           password protected\nEPR-IT-\n          option is not deactivated so          screensaver and ensure that\n05-02                                                                                           X               X\n          users have the ability to             -- - --- - users are locked\n          deactivate the screensaver.           
out of the system after\n          Furthermore, users are not            three invalid logon\n          locked out after three                attempts.\n          unsuccessful logon\n          attempts.\n                                                Transfer all critical\n                                                equipment out of the room\n                                                in --- --- - ------ to an\n                                                alternate secure site with\n                                                capabilities to house IT\n          The ----------- ---------\n                                                equipment on raised floors\n          ---- ---- had multiple\n                                                and upon implementation\nEPR-IT-   weaknesses including lack\n                                                of the --- --- - --------------\n05-03     of raised floors, and IFMIS                                                           X               X\n                                                ---------- \xe2\x80\x9creal-time\xe2\x80\x9d back-\n          production and test servers\n                                                up facility, create\n          in close proximity.\n                                                redundant servers at the\n                                                ----- ----- ----- ---- - -- - -- --\n                                                for the two -- -- -- servers\n                                                located at the ------- ------ -\n                                                ---- --------- ---- ------- - -- --\n\n\n\n\n                Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                                 40\n\x0c                                                                                                    Appendix B\n\n                               
EPR-IT-05-04
  Condition: The employee termination process for removing system access (the policies or processes for ensuring that all general support system and application access, including [redacted], is removed in a timely manner for separated employees) is in draft form.
  Recommendation: Ensure that FEMA Instruction 1540.3 is finalized, signed by the Under Secretary, promulgated to all EP&R employees, and enforced, and, per the instruction, perform a review of authorized accounts on a semi-annual basis and remove terminated employees' access to all systems.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.

EPR-IT-05-06
  Condition: Password protected screensaver properties are not disabled. Therefore, the current method of distributing [redacted] passwords is not sufficient.
  Recommendation: Complete the implementation of [redacted] and disable the user's ability to change the inactivity threshold or disable the password protected screensaver.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.

EPR-IT-05-07
  Condition: Insufficient documentation exists to fully explain [redacted] functions and the user access capabilities associated with those functions.
  Recommendation: Enhance system documentation supporting the description of the [redacted] user functions, with their associated system capabilities, and develop and implement procedures to update the documentation as functions are added or modified.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.


Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail

Consolidated

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Significant Findings Contributing to the Overall DHS Material Weakness for Financial System Security

CONS-IT-05-02
  Condition: DHS administrators do not consistently require new users to complete the [redacted] new user access form before granting access to [redacted].
  Recommendation: Ensure that [redacted] user access is only granted upon completion of the TIER new user access request form and evidence of supervisory authorization. In addition, the access request forms should be retained for at least one year.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-03
  Condition: No policies and procedures are in place to periodically review [redacted] user access lists to determine if access is still needed, and a documented process has not been established to notify [redacted] administrators of terminated or transferred personnel.
  Recommendation: Develop and implement policies and procedures for the periodic review of [redacted] access lists, and develop and implement policies and procedures to promptly notify the [redacted] administrators of the termination or transfer of personnel with access.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-04
  Condition: Informal processes are followed for making changes to [redacted], and [redacted] does not have a version manager tool for template changes made to the application.
  Recommendation: Develop and implement detailed SDLC or configuration management procedures for performing changes over the [redacted] template process, and implement a version manager tool in order to maintain previous versions of [redacted] reports.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-05
  Condition: [redacted] configuration management controls can be improved, including: lead developers have access to production; segregation of duties issues exist for system changes made outside of the scheduled [redacted] quarterly releases; not all system change requests (SCR) are documented; and test documentation is not maintained.
  Recommendation: Improve configuration management controls, ensure adherence with the Department of Treasury SCM and ASSC SDLC Workflow and Processes Handbook throughout DHS as they relate to opening an SCR, and maintain test documentation for changes implemented outside of the scheduled [redacted] quarterly releases.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-06
  Condition: Discrepancies exist between the DHS Performance and Accountability Report (PAR) Guidance and the Analytical Report.
  Recommendation: Implement recommended actions in order to make the analytic report code, equations, and PAR guide consistent, and develop and implement a configuration management process over analytic report changes.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-07
  Condition: Discrepancies exist between the United States Standard General Ledger (USSGL) and the DHS Standard General Ledger (DHS SGL) account classifications used to populate the Abnormal Balances Report.
  Recommendation: Implement changes to the DHS SGL normal balance accounts for compliance with the USSGL, and develop a procedure to verify the abnormal balance report logic after any changes in the DHS SGL or USSGL.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-08
  Condition: No documented procedures are in place for DHS components to perform a formal review, by a separate approving individual, of financial data before moving the [redacted] file from the Holding Area into the [redacted] Repository.
  Recommendation: Document and implement procedures for DHS components to perform a formal review of financial data before moving it into the [redacted] Repository.
  New issue: X. Overall DHS material weakness for financial system security: X.

CONS-IT-05-09
  Condition: Lack of compliance with FISMA in the areas of access controls, entity-wide security program planning and management, application software development and change control, system software, segregation of duties, and service continuity.
  Recommendation: The DHS Chief Information Officer (CIO), in coordination with the DHS Office of the Chief Financial Officer (OCFO) and other DHS functional leaders, should ensure further emphasis on the monitoring and enforcement of policies and procedures through the performance of periodic security control assessments and audits.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.


Remaining IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Remaining Findings Contributing to the Overall DHS Material Weakness for Financial System Security

CONS-IT-05-01
  Condition: Treasury personnel access to DHS [redacted] continues to be excessive.
  Recommendation: Reevaluate [redacted] privileges assigned to Department of Treasury users, and restrict user account permissions to only the minimum privileges necessary to achieve the principle of least privilege.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.


Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail

Office of State and Local Government Coordination and Preparedness (SLGCP)

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Significant Findings Contributing to the Overall DHS Material Weakness for Financial System Security

SLGCP-2005-06
  Condition: The IT control environment of the Department of Justice Office of Justice Programs (OJP) needs strengthening over access controls, change controls, service continuity, and system software.
  Recommendation: Implement a Memorandum of Understanding (MOU) agreement to include the minimum security-related responsibilities, and continue to work with OJP to ensure all weaknesses that impact SLGCP's reliance on the OJP IT control environment are mitigated and corrected.
  New issue: X. Overall DHS material weakness for financial system security: X.

SLGCP-2005-12
  Condition: Segregation of duties is not properly enforced. The SLGCP has not formed a separate Information Systems department and has yet to develop policies or procedures outlining segregation of duties controls or procedures.
  Recommendation: Continue to finalize the policies and procedures that address segregation of duties for SLGCP information systems functions, and create an Information Systems department that is responsible for all security and network administration of SLGCP systems.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.

SLGCP-2005-13
  Condition: Application user accounts are not removed in a timely manner after user separation.
  Recommendation: Improve the process for notifying the Security Officer or Administrator of employee or contractor transfers/terminations so that system access to the [redacted] and [redacted] is removed in a more timely manner.
  Repeat issue: X. Overall DHS material weakness for financial system security: X.


Department of Homeland Security
FY2005 Information Technology
Notification of Findings and Recommendations – Detail

Transportation Security Administration

Significant IT NFRs Which Contributed to the Overall DHS Material Weakness for Financial System Security

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Significant Findings Contributing to the Overall DHS Material Weakness for Financial System Security

TSA-IT-05-003
  Condition: The [redacted] Unix change control process supporting [redacted] and [redacted] have weaknesses including: procedures in support of the finalized CM policy are not developed; documentation supporting a risk assessment is not maintained; formal change requests are not used; and test plans and test results are not documented.
  Recommendation: TSA management should work with [redacted] management to ensure the development and enforcement of configuration management procedures for developing test plans, documenting test results, implementing software, management approval of system changes, and retention of risk assessment and testing documentation.
  New issue: X. Overall DHS material weakness for financial system security: X.

TSA-IT-05-004
  Condition: Service continuity weaknesses for [redacted] exist, including an outdated Business Continuity Contingency Plan (BCCP), lack of disaster recovery procedure details, an off-site storage location in close proximity to the data center, and lack of BCCP testing.
  Recommendation: TSA management should work with [redacted] management to ensure the periodic reassessment and, as appropriate, revision of the [redacted] BCCP, development of disaster recovery procedures for [redacted], completion of the relocation of the off-site storage location, and periodic testing of the BCCP.
  New issue: X. Overall DHS material weakness for financial system security: X.

TSA-IT-05-005
  Condition: Procedures for controlling the processes associated with the granting, monitoring, and termination of user accounts within [redacted] have not been documented.
  Recommendation: TSA management should work with [redacted] management to ensure the development of formal entity-wide procedures for granting, monitoring, and terminating [redacted] user accounts and periodic revalidation of [redacted] user profiles by local security administrators.
  New issue: X. Overall DHS material weakness for financial system security: X.

(next NFR; number not shown in the extracted text)
  Condition: [redacted] has not developed documented policies and procedures to
  Recommendation: TSA management should work with [redacted] management to ensure the
        restrict access to the UNIX\n                                                 development of policies and\n          operating system, for\n                                                 procedures for restricting\nTSA-IT    monitoring access, and\n                                                 and monitoring access to           X                        X\n05-006    periodic reviews are not\n                                                 the UNIX operating system\n          performed to determine if\n                                                 for ---- --- - --- - -- and\n          monitoring of the UNIX\n                                                 performance of period\n          operating system for---- -\n                                                 reviews of the monitoring\n          -- ------- is functioning as\n                                                 process.\n          intended.\n          Certification and\n          Accreditations (C&A) for\n                                                 TSA management should\n          the ---- -- --- -- -----------\n                                                 work with - --- ------\n          ---- -- -- ----- --- -- ---- --- - -\n                                                 management to ensure the\n          -------- - -------- were not\n                                                 update and completion of\nTSA-IT    complete. 
Specifically,\n                                                 the C&A process for                X                        X\n05-007    security testing and\n                                                 --- ---- ------ --- - ------ to\n          evaluations (ST&Es) were\n                                                 include the completion of\n          incomplete and security\n                                                 ST&Es, and the update of\n          plans had not been\n                                                 security plans.\n          updated.\n\n                                                 TSA management should\n          -------- -- has not\n                                                 work with-- --- ------\n          implemented formal\n                                                 management to ensure the\n          procedures for the periodic\n                                                 development of procedures\n          management review and\nTSA-IT-                                          for the regular and periodic\n          monitoring of activities of                                               X                        X\n 05-008                                          monitoring of high-level\n          ---- - database\n                                                 ---- - database administrator\n          administrators and system\n                                                 and system administrator\n          administrators or the\n                                                 activities, and the --------\n          Oracle SYS accounts.\n                                                 ----------------\n\n\n                Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                                 50\n\x0c                                                                                                    Appendix 
B\n\n                                          Department of Homeland Security\n                                      Information Technology Management Letter\n                                                 September 30, 2005\n\n                                                                                            Significant Findings\n                                                                                            Contributing to the\n                                                                          New     Repeat       Overall DHS\nNFR #             Condition                   Recommendation\n                                                                          Issue    Issue   Material Weakness for\n                                                                                             Financial System\n                                                                                                  Security\n                                         TSA management should\n                                         work with - --- ------\n                                         management to ensure the\n          The Enterprise Security        implementation of the\n          Management tool                individual fixes noted in the\n          identified world writeable     NFR for vulnerabilities\nTSA-IT-\n          directories without a sticky   identified and the institution    X                            X\n 05-009\n          bit set, and account           of a formal process for\n          management weaknesses          performing periodic scans\n          over DART.                     
of the -- ---- - -- network\n                                         environment, including the\n                                         financial processing\n                                         environment.\n                                         TSA management should\n                                         work with - --- ------\n                                         management to ensure the\n                                         implementation of the\n          AppDetective identified\n                                         individual fixes noted in the\n          vulnerabilities on the -----\n                                         NFR for vulnerabilities\nTSA-IT-   database including weak\n                                         identified and institution of     X                            X\n 05-010   passwords, excessive\n                                         a formal process for\n          access permissions and\n                                         performing periodic scans\n          missing patches.\n                                         of the -- ---- - -- network\n                                         environment, including the\n                                         financial processing\n                                         environment.\n                                         ------ - -- management\n          Internet Security Systems\n                                         implemented immediate\nTSA-IT-   Internet Scanner identified\n                                         corrective action by              X                            X\n 05-011   three hosts that were\n                                         removing the BrightStor\n          missing patches.\n                                         agent from the three hosts.\n                                         TSA management should\n          Inaccuracies exist within      ensure that personnel errors\n          TSA personnel records          
regarding separated\nTSA-IT    which addresses both           employees cited during the\n                                                                                    X                   X\n05-012    separated employee issue       prior year audit are\n          and other erroneous            corrected and\n          personnel records.             documentation of corrective\n                                         actions retained on file.\n\n\n\n\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                       51\n\x0c                                                                                                      Appendix B\n\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2005\n\n         Remaining IT NFRs Which Contributed to the Overall DHS Material Weakness for\n                                 Financial System Security\n\n                                                                                              Remaining Findings\n                                                                                              Contributing to the\n                                                                            New     Repeat       Overall DHS\nNFR #                 Condition                    Recommendation\n                                                                            Issue    Issue   Material Weakness for\n                                                                                               Financial System\n                                                                                                   Security\n                                               TSA management should\n                                               work 
with - --- ------\n           Formal procedures                   management to ensure the\n           regarding access to the             development and\n           --- --- -- - - -- --- -------       implementation of formal\nTSA-IT\n           ---- ------------------ ---         data center access\n05-001                                                                       X                            X\n           ------ - have not been              procedures and a\n           established and                     formalized method to track\n           implemented.                        information system-related\n                                               items entering and exiting\n                                               the facility.\n\n\n\n\n                 Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                           52\n\x0c                                                                                        Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2005\n\n\n\n\n                                      Appendix C\n\nStatus of Prior Year Notices of Findings and Recommendations\n                     And Comparison To\n   Current Year Notices of Findings and Recommendations\n\n\n\n\n     Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                           53\n\x0c                                                                                                                           Appendix C\n\n                                          Department of Homeland Security\n                                      Information Technology Management Letter\n                                                 September 30, 2005\n\n                                     
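The condition in TSA-IT-05-009 above (Appendix B) names a classic Unix misconfiguration: a directory that is world-writable but lacks the sticky bit lets any local user delete or rename entries placed there by other users or by the financial application itself, whereas with the sticky bit set (as on /tmp) only the entry's owner, the directory's owner, or root may do so. The script below is an added example, not code from the audit report or from any TSA, DHS or ESM tooling; it builds a constructed sample directory tree, flags directories that are world-writable without the sticky bit, and applies the usual fix by adding the bit while leaving the other permission bits alone. The tree layout and directory names are assumptions for illustration only. The DART account management weaknesses mentioned in the same finding are not detailed on the page and are not modelled here.

```python
import os
import stat
import tempfile


def is_world_writable_without_sticky(mode):
    """True for a directory mode that is world-writable (o+w) but has no sticky bit.

    Such a directory lets any local user delete or rename other users' entries;
    the sticky bit (S_ISVTX, as on /tmp) restricts that to the entry owner,
    the directory owner, and root.
    """
    return (
        stat.S_ISDIR(mode)
        and bool(mode & stat.S_IWOTH)
        and not (mode & stat.S_ISVTX)
    )


def find_offending_dirs(root):
    """Walk `root` and return the relative paths of offending directories, sorted."""
    offenders = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinked directories
            if is_world_writable_without_sticky(st.st_mode):
                offenders.append(os.path.relpath(full, root))
    return sorted(offenders)


def add_sticky_bit(path):
    """Remediate one directory by adding the sticky bit, keeping the other permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode | stat.S_ISVTX)


def build_sample_tree():
    """Create a constructed sample tree (an assumption for this example) and return its root."""
    root = tempfile.mkdtemp(prefix="sticky-bit-demo-")
    layout = {
        "tmp_ok": 0o1777,          # world-writable with sticky bit: acceptable, like /tmp
        "shared_bad": 0o777,       # world-writable, no sticky bit: the finding
        "private": 0o750,          # not world-writable: fine
        "nested": 0o755,           # parent set explicitly so umask cannot change the result
        "nested/drop_bad": 0o777,  # nested offender, showing that the walk recurses
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # chmod ignores umask, so the mode is applied exactly
    return root


def remediate_tree(root):
    """Scan, fix every offender, and return (before, after) lists for reporting."""
    before = find_offending_dirs(root)
    for rel in before:
        add_sticky_bit(os.path.join(root, rel))
    return before, find_offending_dirs(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found, remaining = remediate_tree(demo_root)
    print("offending before fix:", found)
    print("offending after fix: ", remaining)
```

On a live host the same check is usually run with GNU find rather than a script, for example `find / -xdev -type d -perm -0002 ! -perm -1000`; the script's value is that it is testable and that the remediation step is explicit. Note that adding the sticky bit does not fix a directory that should never have been world-writable in the first place; whether `o+w` is needed at all is a separate question that the scan cannot answer.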
Component  NFR No.  Disposition (Closed, or Repeat followed by the current-year NFR No.)
           Description

USCIS      04-09    Repeat: 05-04
           Access control weaknesses were identified in the -------- and were not documented as
           part of the Certification and Accreditation (C&A) package.
USCIS      04-10    Closed
           -------- users at the Vermont Service Center have the ability to adjudicate applications
           as well as process payments, which are considered incompatible duties.
USCIS      04-18    Closed
           USCIS does not have procedures in place to periodically review -------- user access lists
           and could not provide a list of all authorized -------- users upon request.
USCIS      04-19    Closed
           -------- at the Vermont Service Center have the ability to adjudicate applications as well
           as process payments, which are considered incompatible duties.
USCIS      04-21    Closed
           Interface controls to ensure that data transmitted by the lockbox operation is accurately
           uploaded into the National Business Center's -------- database need improvement.
USCIS      04-27    Repeat: 05-02
           The site C&A package for the California Service Center has expired.

ICE        04-17    Closed
           Access control weaknesses were identified in the --------.
ICE        04-18    Repeat: 05-07
           ICE does not have procedures in place to periodically review -------- user access lists and
           could not provide a list of all authorized -------- users upon request.

CBP        04-01    Repeat: 05-02
           Nineteen individual user accounts on the -------- mainframe security software had
           excessive privileges assigned to them.
CBP        04-02    Repeat: 05-23
           Weaknesses in the C&A process for the --------, including lack of evaluation of the need
           for separate C&As for applications included in the Administrative Applications C&A, and
           improvements needed in risk assessment guidance.
CBP        04-03    Closed
           Weaknesses in disaster recovery testing and continuity of critical operational functions
           for the -------- and the -------- at the alternate processing site.
CBP        04-04    Repeat: 05-18
           Excessive sensitive functions and high-risk combinations have been assigned to ACS users.
CBP        04-05    Repeat: 05-04
           Certain controls can be overridden in -------- without supervisory approval.
CBP        04-06    Closed
           Excessive access has been granted to --------.
CBP        04-07    Repeat: 05-31
           Weaknesses in the C&A process at field sites.
CBP        04-08    Repeat: 05-09
           Improvements are needed in system logical access controls over network assets affecting
           headquarters and the --------.
CBP        04-09    Repeat: 05-11
           Interconnection Security Agreements (ISAs) are not documented for 92 partners that connect
           with --------.
CBP        04-10    Repeat: 05-29
           Access is not appropriately restricted to -------- vendor and bank tables.
CBP        04-11    Closed
           Weaknesses with the -------- Risk Assessment.
CBP        04-12    Repeat: 05-28
           Improvements needed in restricting access to sensitive system-level transactions through
           the On-Line Transaction Processing System Security --------.
CBP        04-13    Repeat: 05-01
           -------- segregation of duties issues were identified with several users.
CBP        04-14    Repeat: 05-16
           The incident handling and response capability needs improvement regarding incident
           detection and initiation, response, recovery, and closure.
CBP        04-15    Closed
           Audit logs are not appropriately monitored for the --------.
CBP        04-16    Repeat: 05-05
           Weaknesses in the access control process for the -------- Materials Management.
CBP        04-17    Repeat: 05-09
           System access, user account management, and configuration weaknesses identified with the
           -------- general controls environment for the materials management module.
CBP        04-18    Repeat: 05-30
           Least privilege principles are not appropriately enforced for mainframe user groups'
           access to sensitive datasets/utilities.

CG         04-001   Repeat: 05-014
           Excessive access privileges were granted to the -------- Financial Reporting System.
CG         04-002   Closed
           The -------- User Guide is outdated.
CG         04-003   Repeat: 05-006
           Comprehensive policies for conducting personnel suitability investigations, or records
           to support the results of personnel suitability investigations, do not exist.
CG         04-004   Repeat: 05-011
           No documented procedures exist requiring local site administrators to control access to
           --------; 17 user accounts have not been appropriately removed for terminated employees;
           and local site administrators do not periodically revalidate user accounts.
CG         04-005   Repeat: 05-012
           No documented policies and procedures to restrict access to the UNIX operating system
           and for monitoring access. No periodic reviews to determine if current monitoring is
           functioning as intended.
CG         04-006   Repeat: 05-010
           Weaknesses associated with the UNIX system software change control process.
CG         04-007   Repeat: 05-013
           Outdated and incomplete security plans, and C&As not performed for the --------.
CG         04-008   Repeat: 05-009
           Service continuity weaknesses for the --------, including an outdated Business Continuity
           Contingency Plan (BCCP), lack of disaster recovery procedure details, an off-site storage
           location in close proximity to the data center, and lack of BCCP testing.
CG         04-009   Repeat: 05-026
           -------- and CMPlus interface errors are not automatically communicated back to the
           corresponding CMPlus unit/user.
CG         04-010   Closed
           The security plans for the -------- are not in compliance with criteria.
CG         04-011   Repeat: 05-023
           CMPlus passwords do not automatically expire, CMPlus accounts are not locked out after
           successive invalid login attempts, and a documented CMPlus system security plan does not
           exist.
CG         04-012   Repeat: 05-022
           The Operations Service Center (OSC) has not implemented a disaster recovery plan.
CG         04-013   Repeat: 05-005
           Entity-wide security program planning is not in place for the Personnel Service Center
           (PSC).
CG         04-014   Repeat: 05-001
           Weaknesses exist regarding PSC service continuity and resource classifications.
CG         04-015   Repeat: 05-003, 05-004, 05-008
           Weaknesses were identified at PSC relating to weak password settings, lack of monitoring
           of access lists or changes to security profiles, and lack of policies for monitoring
           operating system software.
CG         04-016   Closed
           Documented procedures do not exist at PSC to enforce segregation of duties principles.
CG         04-017   Repeat: 05-025
           Database Scanner identified vulnerabilities on the Supply Center Computer Replacement
           (SCCR) database supporting --------.
CG         04-018   Repeat: 05-024
           The Enterprise Security Manager (ESM) tool identified high and medium level
           vulnerabilities on three hosts supporting --------.
CG         04-019   Repeat: 05-016
           Database Scanner identified vulnerabilities on the --------.
CG         04-020   Repeat: 05-017
           ESM identified high and medium level vulnerabilities on three hosts supporting --------.
CG         04-021   Repeat: 05-002
           Change control weaknesses exist at the PSC, including lack of documented test plans, test
           results, and software modification audit trails.
CG         04-022   Closed
           Several network-based vulnerabilities were identified on the external Information
           Technology resources for Coast Guard.
CG         04-023   Closed
           Weaknesses were self-identified by Coast Guard on two hosts supporting the -------- and
           were not subsequently addressed.
CG         04-024   Repeat: 05-027
           Implementation and management oversight of Coast Guard's information security program
           remains fragmented.
CG         04-025   Closed
           Interface controls do not ensure that record counts match as data is transferred from
           -------- into CheckFree.
CG         04-026   Closed
           Three of the four Database Administrators at -------- also have System Administrator
           rights and responsibilities.
CG         04-063   Repeat: 05-021
           Undelivered Orders – Transaction Codes: a report allowing users to review and manually
           re-establish obligations was not implemented, nor was the manual review process. (Prior
           year Financial Notice of Finding and Recommendation.)

CONS       04-01    Repeat: 05-01
           Excessive -------- system privileges were granted, and a documented process does not exist
           to notify -------- application administrators of user termination or transfer for timely
           removal of system access.
CONS       04-02    Closed
           The interagency agreement between DHS and -------- does not describe the information
           security controls that need to be implemented and managed by the data owner (DHS) or the
           system operator (Treasury).
CONS       04-03    Repeat: 05-09
           Lack of compliance with FISMA in the areas of access controls, entity-wide security
           program planning and management, system software, segregation of duties, and service
           continuity.

EPR        04-11    Repeat: 05-01
           Policies and procedures do not exist to perform periodic review of -------- user access
           lists.
EPR        04-16    Repeat: 05-02
           -------- access controls do not appropriately suspend a user's session after ten minutes
           of inactivity, and users are not locked out after three unsuccessful logon attempts.
EPR        04-17    Repeat: 05-03
           The -------- had multiple weaknesses, including lack of raised floors, production and test
           servers in close proximity, lack of review of physical user access lists, and no
           procedures to periodically change keypad combinations.
EPR        04-18    Repeat: 05-04
           Lack of consistent policies or processes for ensuring that all general support system and
           application access, including --------, is removed in a timely manner for terminated
           employees.
EPR        04-19    Repeat: 05-05
           Seven critical systems do not have a C&A.
EPR        04-20    Repeat: 05-06
           No documented process for generating or communicating new or reset -------- passwords to
           users.
EPR        04-21    Closed
           -------- Table audit trail data is not reviewed periodically.
EPR        04-22    Repeat: 05-07
           Insufficient documentation exists to fully explain -------- functions and the user access
           capabilities associated with those functions.
EPR        04-23    Repeat: 05-10
           The ESM tool identified several high and medium level technical vulnerabilities on the
           --------.
EPR        04-24    Repeat: 05-11
           Oracle databases, including the -------- production and development databases, contained
           weak or default passwords.
EPR        04-25    Repeat: 05-12
           The -------- tool identified 88 technical vulnerabilities on 13 different FEMA hosts, the
           majority of which related to missing patches.
EPR        04-28    Closed
           The Intra-governmental Payment and Collection System (IPAC) provides for interagency
           billings and payments for supplies and services. Of five IPAC User Request Forms selected
           for testing, we noted one form on which the employee's access was not specifically
           indicated.
EPR        04-32    Repeat: 05-08
           The Continuity of Operations Plans (COOP) for -------- are in draft.
EPR        04-35    Closed
           -------- has not documented interagency agreements for alternate data processing and
           telecommunication facilities in the event of a disaster.
EPR        04-39    Repeat: 05-09
           FEMA has not prioritized its critical data and operations, emergency processing priorities
           and procedures have not been documented, and all resources supporting critical operations
           have not been identified.

LTD        04-01    Closed
           Incident response policies and procedures are not in place and/or finalized for the FLETC
           --------.

SLGCP      04-05    Closed
           A system owner and security manager has not been identified to track background
           investigations and personnel clearances.
SLGCP      04-06    Closed
           A Service Level Agreement (SLA) is not in place with the third party hosting the Data
           Collection Toolkit (DCT).
SLGCP      04-07
           A documented security awareness training program is not in place.
X\n\n\nSLGCP      04-08    Segregation of duties is not properly enforced and documented policies                             2005-12\n                    outlining segregation of duties controls or procedures do not exist.\n\nSLGCP      04-09    Access privileges and profiles for the --- - -- -- -------- --- - -- - --------- --     X\n                    -- -- --- --------- ----- ---------- internal users are not properly\n                    administered, resulting in an unnecessary number of users with the\n                    ability to update the vendor table.\nSLGCP      04-10    Application user accounts are not removed in a timely manner after                                 2005-13\n                    user separation.\n\nSLGCP      04-22    A C&A does not exist for the ------------ --------- -- -----                            X\n\n\nSLGCP      04-25    The reconciliation process for financial transactions that occurred                     X\n                    between ----- -- and the-- - - - - ---- -- ----- --- - ----- was not fully\n                    implemented throughout the fiscal year.\nSLGCP      04-26    The ----- - - --- ------- -- -- ----- captured transactions but did not capture         X\n                    user activity for three months of the fiscal year.\n\n\nTSA        04-01    Segregation of duties is not properly enforced in the -------                           X\n                    ----- ------- - within---------\nTSA        04-02    Weaknesses in -------- access controls, network security, and system                    X\n                    security controls.\nTSA        04-03    System financial integrity issues identified in the ------ application.                 
X\nTSA        04-04    Inaccuracies exist within TSA personnel records which addresses both                                05-12\n                    separated employee issue and other erroneous personnel records\n\n\n\n\n               Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                                            58\n\x0c                                                                                    Appendix D\n\n                        Department of Homeland Security\n                    Information Technology Management Letter\n                               September 30, 2005\n\n\n\n\n                                  Appendix D\n\nManagement Response to Draft IT Management Letter\n\n\n\n\n Information Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                       59\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      60\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      61\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 
2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      62\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      63\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      64\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      65\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      66\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n              
                September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      67\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      68\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      69\n\x0c                                                                                   Appendix D\n\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2005\n\n\n\n\nInformation Technology Management Letter for the DHS FY 2005 Financial Statement Audit\n                                      70\n\x0c                   Report Distribution\n\n                   Department of Homeland Security\n\n                   Secretary\n                   Deputy Secretary\n                   General Counsel\n                   Chief of Staff\n                   Deputy Chief of Staff\n                   Executive Secretary\n                   Under Secretary, Management\n                   Chief Information Officer\n                   Chief Financial Officer\n                   Chief Information Security Officer\n                   Assistant Secretary, Public Affairs\n                   Assistant 
Secretary, Legislative and Intergovernmental Affairs\n                   Assistant Secretary, Policy\n                   DHS Audit Liaison\n                   Chief Information Officer, Audit Liaison\n\n                   Office of Management and Budget\n\n                   Chief, Homeland Security Branch\n                   DHS OIG Budget Examiner\n\n                   Congress\n\n                   Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nInformation Technology Management Letter for the FY 2005 DHS Financial Statement Audit\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations \xe2\x80\x93\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The\nOIG seeks to protect the identity of each writer and caller.\n\x0c'